Checklist

We recommend that you seek legal counsel to ensure that your church is completely compliant with GDPR. However, here are a number of steps you can take to try to make sure your church is in the best position possible:

Learn about the different lawful bases for holding and processing data, and consider which apply to your church. Document these where necessary.

Where you need consent, document existing permissions and make sure they are still valid under GDPR.

Where you need fresh consent, request it in a way which allows individuals to give you explicit, opt-in, clear, comprehensive consent. Document this consent.

Ensure that you have documented processes in place to request, record, and manage consent.

Make a list of all the data you do or might collect from individuals. Try to be as comprehensive as possible.

Document all the ways in which you might use that data, from rota reminders to room booking to wedding ceremonies to spiritual and pastoral counselling.

Consider all the different media you use to hold and process said data, from spiral notebooks to smartphones.

Put procedures in place to make sure you can respond correctly to requests to exercise the Right to Access, the Right to Rectification, the Right to Erasure, the Right to Restrict Processing, the Right to Object, and Rights Related to Data Portability or Automated Decision-Making.

Document these procedures and make them available to all individuals, both at first contact and ongoing.

Make it clear to all individuals who they should contact to exercise their rights.

Be extra careful when it comes to children’s data. Have documented processes in place to ensure you are managing it correctly.

Ensure that your privacy information and other documentation are clear and precise enough for children to understand.

Make your Privacy Policies/Notices available to all individuals.

Document your policies around fundraising and marketing.

Make sure you have valid consent, where you need it, for fundraising and marketing.

Provide training to all church staff and volunteers to ensure they have a good knowledge of Data Protection and how it is managed within your church.

Appoint a Data Protection Officer if you need one, or:

Appoint a person or persons to be in charge of Data Protection and hold your organisation accountable.

Wherever possible, integrate Data Protection into every aspect of church administration, by streamlining procedures or using a holistic service like iKnow Church Software.